Threat Intelligence is Not Intellectual Property

The breadth and depth of threat intelligence is a primary differentiating factor for security vendors is a widely held assumption in the security industry that we collectively need to disprove and change our perspective on.

When vendors and individuals attempt to keep threat intelligence private, they limit the ability of the entire group to identify and mitigate new threats as they are developed and launched against organizations. The days when IPS signatures and host-based anti-malware products were enough to secure your network are long gone. Sophisticated adversaries are constantly deploying new methods of evading detection. Whether this is in the form of new exploits, rapidly changing malware, or new attack vectors, it is clear that successful data breaches continue to escalate.

The velocity of attacks, both in volume and method, also continues to increase—meaning the quicker your security solutions gain access to relevant intelligence, the safer you become. Specifically, your solutions must be able to turn indicator sets on campaigns and adversary groups into new prevention mechanisms to stop attacks. This is an important distinction, as malware is so easily changed, that simply adding new signatures that look for a specific file is not nearly enough. In contrast, Indicators of Compromise (IOCs), such as the IP address for an attacker’s command-and-control communication infrastructure, are common across entire campaigns or attack groups.

When looking at the common language of threat intelligence, security vendors often fall into the “big numbers” trap, where they tout how they have “billions” or even “trillions” of events. That is often the easy way out, and doesn’t actual provide insight into how relevant or valuable these events are. They certainly sound impressive when projected on a big screen during a conference, but many are likely commodity indicators on the common attacks everyone already knows about. While breadth of intelligence is important, even the largest sensor network in the world is limited by its very nature. It only has insight into the events it can directly observe, from members of the collective.

To illustrate this point, let’s play the math out:

• Medium-sized security vendors have 30,000 customers each. Let’s assume for the sake of simplicity that there are twenty of these in the world. This means there is the potential for these twenty vendors to be receiving intelligence from 600,000 users on the threats they are observing.

• Large security vendors have 100,000 customers each, and let us assume there are five of them. In total, these large vendors could be receiving data from 500,000 customers.

In this scenario, there are 1.1 million potential customers who could be contributing intelligence to help protect other organizations. The problem is that no security vendor is seeing more than 11 percent of the total intelligence being created! In the real world, there are of course even more organizations providing security solutions, meaning these numbers are orders of magnitude larger.

As a security leader, what if your vendor told you they could only stop 10% of all possible attacks? Would you be satisfied with that response? This is essentially what the industry’s response has been up until this point. Now consider the value security vendors could provide to the security community if they shared threat intelligence in a free and open manner. The attackers do not care which product you have protecting your network, and your security posture should not be limited by this. This is not to say every vendor will be equal in terms of innovation and ways to implement this common intelligence to prevent attacks, but we should judge them on those metrics, versus the size of their database.

In order to change this belief, we must push for change. The next time you are talking with your vendor of choice, ask them the following question:

• Are they sharing threat intelligence with their peers?

• Can they create new protections from shared intelligence?

• Are they members of industry-level threat intelligence sharing groups?

• How are they working with government entities to share data between public and private?

There are some organizations attempting to pioneer this new way forward, including the Cyber Threat Alliance, founded by Fortinet, Intel Security, Palo Alto Networks, and Symantec, and at an industry peer level with the ISACs. In addition to helping push vendors to change, consider how you can joint these types of organizations, and share intelligence with your peers.

Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.